형식 보존 암호화를 사용하여 테이블 데이터를 재식별합니다.
더 살펴보기
이 코드 샘플이 포함된 자세한 문서는 다음을 참조하세요.
코드 샘플
C#
민감한 정보 보호의 클라이언트 라이브러리를 설치하고 사용하는 방법은 민감한 정보 보호 클라이언트 라이브러리를 참조하세요.
Sensitive Data Protection에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
using System;
using Google.Api.Gax.ResourceNames;
using Google.Cloud.Dlp.V2;
using Google.Protobuf;
using static Google.Cloud.Dlp.V2.CryptoReplaceFfxFpeConfig.Types;
public class ReidentifyTableDataWithFpe
{
public static Table ReidentifyTableData(
string projectId,
string keyName,
string wrappedKey,
FfxCommonNativeAlphabet alphabet = FfxCommonNativeAlphabet.Numeric,
Table tableToInspect = null)
{
// Instantiate a client.
var dlp = DlpServiceClient.Create();
// Construct the table if null.
var table = tableToInspect;
if (table == null)
{
var row1 = new Value[]
{
new Value { StringValue = "28777" },
new Value { StringValue = "Justin" }
};
var row2 = new Value[]
{
new Value { StringValue = "28778" },
new Value { StringValue = "Gary" }
};
table = new Table
{
Headers =
{
new FieldId { Name = "Employee ID" },
new FieldId { Name = "Employee Name" }
},
Rows =
{
new Table.Types.Row { Values = { row1 } },
new Table.Types.Row { Values = { row2 } }
}
};
}
// Construct the content item by providing the table.
var contentItem = new ContentItem { Table = table };
// Specify how to decrypt the previously de-identified information.
var cryptoReplaceFfxFpeConfig = new CryptoReplaceFfxFpeConfig
{
CryptoKey = new CryptoKey
{
KmsWrapped = new KmsWrappedCryptoKey
{
CryptoKeyName = keyName,
WrappedKey = ByteString.FromBase64(wrappedKey)
}
},
CommonAlphabet = alphabet
};
// Specify the field to be decrypted.
var fields = new FieldId[] { new FieldId { Name = "Employee ID" } };
// Construct the re-identify config and specify the transformation.
var reidentifyConfig = new DeidentifyConfig
{
RecordTransformations = new RecordTransformations
{
FieldTransformations =
{
new FieldTransformation
{
PrimitiveTransformation = new PrimitiveTransformation
{
CryptoReplaceFfxFpeConfig = cryptoReplaceFfxFpeConfig,
},
Fields = { fields }
}
}
}
};
// Construct the request.
var request = new ReidentifyContentRequest
{
Parent = new LocationName(projectId, "global").ToString(),
Item = contentItem,
ReidentifyConfig = reidentifyConfig
};
// Call the API.
ReidentifyContentResponse response = dlp.ReidentifyContent(request);
// Inspect the response.
Console.WriteLine($"Table after re-identification: {response.Item.Table}");
return response.Item.Table;
}
}
Go
Sensitive Data Protection의 클라이언트 라이브러리를 설치하고 사용하는 방법은 Sensitive Data Protection 클라이언트 라이브러리를 참조하세요.
Sensitive Data Protection에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
import (
"context"
"encoding/base64"
"fmt"
"io"
dlp "cloud.google.com/go/dlp/apiv2"
"cloud.google.com/go/dlp/apiv2/dlppb"
)
// reidTableDataWithFPE re-identifies table data with FPE
func reidTableDataWithFPE(w io.Writer, projectID, kmsKeyName, wrappedAesKey string) error {
// projectId := "my-project-id"
/* kmsKeyName := "projects/YOUR_PROJECT/"
+ "locations/YOUR_KEYRING_REGION/"
+ "keyRings/YOUR_KEYRING_NAME/"
+ "cryptoKeys/YOUR_KEY_NAME"
*/
// wrappedAesKey := "YOUR_ENCRYPTED_AES_256_KEY"
ctx := context.Background()
// Initialize a client once and reuse it to send multiple requests. Clients
// are safe to use across goroutines. When the client is no longer needed,
// call the Close method to cleanup its resources.
client, err := dlp.NewClient(ctx)
if err != nil {
return err
}
// Closing the client safely cleans up background resources.
defer client.Close()
// Specify the table data that needs to be re-identified.
tableToReIdentify := &dlppb.Table{
Headers: []*dlppb.FieldId{
{Name: "Employee ID"},
},
Rows: []*dlppb.Table_Row{
{
Values: []*dlppb.Value{
{
Type: &dlppb.Value_StringValue{
StringValue: "90511",
},
},
},
},
},
}
// Specify the content you want to re-identify.
contentItem := &dlppb.ContentItem{
DataItem: &dlppb.ContentItem_Table{
Table: tableToReIdentify,
},
}
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
kmsWrappedCryptoKey, err := base64.StdEncoding.DecodeString(wrappedAesKey)
if err != nil {
return err
}
cryptoKey := &dlppb.CryptoKey{
Source: &dlppb.CryptoKey_KmsWrapped{
KmsWrapped: &dlppb.KmsWrappedCryptoKey{
WrappedKey: kmsWrappedCryptoKey,
CryptoKeyName: kmsKeyName,
},
},
}
// Specify how to un-encrypt the previously de-identified information.
cryptoReplaceFfxFpeConfig := &dlppb.CryptoReplaceFfxFpeConfig{
CryptoKey: cryptoKey,
Alphabet: &dlppb.CryptoReplaceFfxFpeConfig_CommonAlphabet{
CommonAlphabet: dlppb.CryptoReplaceFfxFpeConfig_NUMERIC,
},
}
primitiveTransformation := &dlppb.PrimitiveTransformation{
Transformation: &dlppb.PrimitiveTransformation_CryptoReplaceFfxFpeConfig{
CryptoReplaceFfxFpeConfig: cryptoReplaceFfxFpeConfig,
},
}
// Specify field to be decrypted.
fieldId := &dlppb.FieldId{
Name: "Employee ID",
}
// Associate the decryption with the specified field.
fieldTransformation := &dlppb.FieldTransformation{
Transformation: &dlppb.FieldTransformation_PrimitiveTransformation{
PrimitiveTransformation: primitiveTransformation,
},
Fields: []*dlppb.FieldId{
fieldId,
},
}
recordTransformations := &dlppb.RecordTransformations{
FieldTransformations: []*dlppb.FieldTransformation{
fieldTransformation,
},
}
deidentifyConfig := &dlppb.DeidentifyConfig{
Transformation: &dlppb.DeidentifyConfig_RecordTransformations{
RecordTransformations: recordTransformations,
},
}
// Combine configurations into a request for the service.
req := &dlppb.ReidentifyContentRequest{
Parent: fmt.Sprintf("projects/%s/locations/global", projectID),
ReidentifyConfig: deidentifyConfig,
Item: contentItem,
}
// Send the request and receive response from the service.
resp, err := client.ReidentifyContent(ctx, req)
if err != nil {
return err
}
// Print the result.
fmt.Fprintf(w, "Table after re-identification : %v", resp.GetItem().GetTable())
return nil
}
Java
Sensitive Data Protection의 클라이언트 라이브러리를 설치하고 사용하는 방법은 Sensitive Data Protection 클라이언트 라이브러리를 참조하세요.
Sensitive Data Protection에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
import com.google.cloud.dlp.v2.DlpServiceClient;
import com.google.common.io.BaseEncoding;
import com.google.privacy.dlp.v2.ContentItem;
import com.google.privacy.dlp.v2.CryptoKey;
import com.google.privacy.dlp.v2.CryptoReplaceFfxFpeConfig;
import com.google.privacy.dlp.v2.CryptoReplaceFfxFpeConfig.FfxCommonNativeAlphabet;
import com.google.privacy.dlp.v2.DeidentifyConfig;
import com.google.privacy.dlp.v2.FieldId;
import com.google.privacy.dlp.v2.FieldTransformation;
import com.google.privacy.dlp.v2.KmsWrappedCryptoKey;
import com.google.privacy.dlp.v2.LocationName;
import com.google.privacy.dlp.v2.PrimitiveTransformation;
import com.google.privacy.dlp.v2.RecordTransformations;
import com.google.privacy.dlp.v2.ReidentifyContentRequest;
import com.google.privacy.dlp.v2.ReidentifyContentResponse;
import com.google.privacy.dlp.v2.Table;
import com.google.privacy.dlp.v2.Table.Row;
import com.google.privacy.dlp.v2.Value;
import com.google.protobuf.ByteString;
import java.io.IOException;
public class ReIdentifyTableWithFpe {
public static void main(String[] args) throws Exception {
// TODO(developer): Replace these variables before running the sample.
String projectId = "your-project-id";
String kmsKeyName =
"projects/YOUR_PROJECT/"
+ "locations/YOUR_KEYRING_REGION/"
+ "keyRings/YOUR_KEYRING_NAME/"
+ "cryptoKeys/YOUR_KEY_NAME";
String wrappedAesKey = "YOUR_ENCRYPTED_AES_256_KEY";
Table tableToReIdentify =
Table.newBuilder()
.addHeaders(FieldId.newBuilder().setName("Employee ID").build())
.addRows(
Row.newBuilder()
.addValues(Value.newBuilder().setStringValue("28777").build())
.build())
.build();
reIdentifyTableWithFpe(projectId, tableToReIdentify, kmsKeyName, wrappedAesKey);
}
public static void reIdentifyTableWithFpe(
String projectId, Table tableToReIdentify, String kmsKeyName, String wrappedAesKey)
throws IOException {
// Initialize client that will be used to send requests. This client only needs to be created
// once, and can be reused for multiple requests. After completing all of your requests, call
// the "close" method on the client to safely clean up any remaining background resources.
try (DlpServiceClient dlp = DlpServiceClient.create()) {
// Specify what content you want the service to re-identify.
ContentItem contentItem = ContentItem.newBuilder().setTable(tableToReIdentify).build();
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
KmsWrappedCryptoKey kmsWrappedCryptoKey =
KmsWrappedCryptoKey.newBuilder()
.setWrappedKey(ByteString.copyFrom(BaseEncoding.base64().decode(wrappedAesKey)))
.setCryptoKeyName(kmsKeyName)
.build();
CryptoKey cryptoKey = CryptoKey.newBuilder().setKmsWrapped(kmsWrappedCryptoKey).build();
// Specify how to un-encrypt the previously de-identified information.
CryptoReplaceFfxFpeConfig cryptoReplaceFfxFpeConfig =
CryptoReplaceFfxFpeConfig.newBuilder()
.setCryptoKey(cryptoKey)
// Set of characters in the input text. For more info, see
// https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#DeidentifyTemplate.FfxCommonNativeAlphabet
.setCommonAlphabet(FfxCommonNativeAlphabet.NUMERIC)
.build();
PrimitiveTransformation primitiveTransformation =
PrimitiveTransformation.newBuilder()
.setCryptoReplaceFfxFpeConfig(cryptoReplaceFfxFpeConfig)
.build();
// Specify field to be decrypted.
FieldId fieldId = FieldId.newBuilder().setName("Employee ID").build();
// Associate the decryption with the specified field.
FieldTransformation fieldTransformation =
FieldTransformation.newBuilder()
.setPrimitiveTransformation(primitiveTransformation)
.addFields(fieldId)
.build();
RecordTransformations transformations =
RecordTransformations.newBuilder().addFieldTransformations(fieldTransformation).build();
DeidentifyConfig reidentifyConfig =
DeidentifyConfig.newBuilder().setRecordTransformations(transformations).build();
// Combine configurations into a request for the service.
ReidentifyContentRequest request =
ReidentifyContentRequest.newBuilder()
.setParent(LocationName.of(projectId, "global").toString())
.setItem(contentItem)
.setReidentifyConfig(reidentifyConfig)
.build();
// Send the request and receive response from the service
ReidentifyContentResponse response = dlp.reidentifyContent(request);
// Print the results
System.out.println("Table after re-identification: " + response.getItem().getValue());
}
}
}
Node.js
Sensitive Data Protection의 클라이언트 라이브러리를 설치하고 사용하는 방법은 Sensitive Data Protection 클라이언트 라이브러리를 참조하세요.
Sensitive Data Protection에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
// Imports the Google Cloud Data Loss Prevention library
const DLP = require('@google-cloud/dlp');
// Instantiates a client
const dlp = new DLP.DlpServiceClient();
// The project ID to run the API call under
// const projectId = 'my-project';
// The set of characters to replace sensitive ones with
// For more information, see https://cloud.google.com/dlp/docs/reference/rest/v2/organizations.deidentifyTemplates#ffxcommonnativealphabet
// const alphabet = 'ALPHA_NUMERIC';
// The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key
// const keyName = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME';
// The encrypted ('wrapped') AES-256 key to use
// This key should be encrypted using the Cloud KMS key specified above
// const wrappedKey = 'YOUR_ENCRYPTED_AES_256_KEY'
// The name of the surrogate custom info type to use when reidentifying data
// const surrogateType = 'SOME_INFO_TYPE_DEID';
// Table to re-identify
const tablularData = {
headers: [{name: 'Employee ID'}],
rows: [{values: [{stringValue: '90511'}]}],
};
async function reidentifyTableWithFpe() {
// Specify field to be re-identified.
const fieldIds = [{name: 'Employee ID'}];
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it
const cryptoKeyConfig = {
kmsWrapped: {
wrappedKey: wrappedKey,
cryptoKeyName: keyName,
},
};
// Associate transformation with crypto key congurations.
const primitiveTransformation = {
cryptoReplaceFfxFpeConfig: {
cryptoKey: cryptoKeyConfig,
commonAlphabet: alphabet,
},
};
// Combine configurations into a request for the service.
const request = {
parent: `projects/${projectId}/locations/global`,
reidentifyConfig: {
recordTransformations: {
fieldTransformations: [
{
fields: fieldIds,
primitiveTransformation: primitiveTransformation,
},
],
},
},
item: {
table: tablularData,
},
};
// Send the request and receive response from the service.
const [response] = await dlp.reidentifyContent(request);
// Print the results.
console.log(
`Table after re-identification: ${JSON.stringify(response.item.table)}`
);
}
await reidentifyTableWithFpe();
PHP
Sensitive Data Protection의 클라이언트 라이브러리를 설치하고 사용하는 방법은 Sensitive Data Protection 클라이언트 라이브러리를 참조하세요.
Sensitive Data Protection에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
use Google\Cloud\Dlp\V2\Client\DlpServiceClient;
use Google\Cloud\Dlp\V2\ContentItem;
use Google\Cloud\Dlp\V2\CryptoKey;
use Google\Cloud\Dlp\V2\CryptoReplaceFfxFpeConfig;
use Google\Cloud\Dlp\V2\CryptoReplaceFfxFpeConfig\FfxCommonNativeAlphabet;
use Google\Cloud\Dlp\V2\DeidentifyConfig;
use Google\Cloud\Dlp\V2\FieldId;
use Google\Cloud\Dlp\V2\FieldTransformation;
use Google\Cloud\Dlp\V2\KmsWrappedCryptoKey;
use Google\Cloud\Dlp\V2\PrimitiveTransformation;
use Google\Cloud\Dlp\V2\RecordTransformations;
use Google\Cloud\Dlp\V2\ReidentifyContentRequest;
use Google\Cloud\Dlp\V2\Table;
use Google\Cloud\Dlp\V2\Table\Row;
use Google\Cloud\Dlp\V2\Value;
/**
* Re-identify table data with FPE.
*
* @param string $callingProjectId The Google Cloud project id to use as a parent resource.
* @param string $inputCsvFile The input file(csv) path to reidentify.
* @param string $outputCsvFile The oupt file path to save reidentify content.
* @param string $encryptedFieldNames The field to be encrypted.
* @param string $kmsKeyName The name of the Cloud KMS key used to encrypt ('wrap') the AES-256 key.
* Example: key_name = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
* @param string $wrappedAesKey The encrypted ('wrapped') AES-256 key to use.
*
* */
function reidentify_table_fpe(
string $callingProjectId,
string $inputCsvFile,
string $outputCsvFile,
string $encryptedFieldNames,
string $kmsKeyName,
string $wrappedAesKey
): void {
// Instantiate a client.
$dlp = new DlpServiceClient();
$parent = "projects/$callingProjectId/locations/global";
// Read a CSV file.
$csvLines = file($inputCsvFile, FILE_IGNORE_NEW_LINES);
$csvHeaders = explode(',', $csvLines[0]);
$csvRows = array_slice($csvLines, 1);
// Convert CSV file into protobuf objects.
$tableHeaders = array_map(function ($csvHeader) {
return (new FieldId)
->setName($csvHeader);
}, $csvHeaders);
$tableRows = array_map(function ($csvRow) {
$rowValues = array_map(function ($csvValue) {
return (new Value())
->setStringValue($csvValue);
}, explode(',', $csvRow));
return (new Row())
->setValues($rowValues);
}, $csvRows);
// Construct the table object.
$tableToDeIdentify = (new Table())
->setHeaders($tableHeaders)
->setRows($tableRows);
// Specify the content to be reidentify.
$content = (new ContentItem())
->setTable($tableToDeIdentify);
// Specify an encrypted AES-256 key and the name of the Cloud KMS key that encrypted it.
$kmsWrappedCryptoKey = (new KmsWrappedCryptoKey())
->setWrappedKey(base64_decode($wrappedAesKey))
->setCryptoKeyName($kmsKeyName);
$cryptoKey = (new CryptoKey())
->setKmsWrapped($kmsWrappedCryptoKey);
// Specify how to un-encrypt the previously de-identified information.
$cryptoReplaceFfxFpeConfig = (new CryptoReplaceFfxFpeConfig())
->setCryptoKey($cryptoKey)
->setCommonAlphabet(FfxCommonNativeAlphabet::NUMERIC);
$primitiveTransformation = (new PrimitiveTransformation())
->setCryptoReplaceFfxFpeConfig($cryptoReplaceFfxFpeConfig);
// Specify field to be decrypted.
$encryptedFields = array_map(function ($encryptedFieldName) {
return (new FieldId())
->setName($encryptedFieldName);
}, explode(',', $encryptedFieldNames));
// Associate the decryption with the specified field.
$fieldTransformation = (new FieldTransformation())
->setPrimitiveTransformation($primitiveTransformation)
->setFields($encryptedFields);
$recordtransformations = (new RecordTransformations())
->setFieldTransformations([$fieldTransformation]);
$reidentifyConfig = (new DeidentifyConfig())
->setRecordTransformations($recordtransformations);
// Run request.
$reidentifyContentRequest = (new ReidentifyContentRequest())
->setParent($parent)
->setReidentifyConfig($reidentifyConfig)
->setItem($content);
$response = $dlp->reidentifyContent($reidentifyContentRequest);
// Print the results.
$csvRef = fopen($outputCsvFile, 'w');
fputcsv($csvRef, $csvHeaders);
foreach ($response->getItem()->getTable()->getRows() as $tableRow) {
$values = array_map(function ($tableValue) {
return $tableValue->getStringValue();
}, iterator_to_array($tableRow->getValues()));
fputcsv($csvRef, $values);
};
printf('Table after re-identification (File Location): %s', $outputCsvFile);
}
Python
Sensitive Data Protection의 클라이언트 라이브러리를 설치하고 사용하는 방법은 Sensitive Data Protection 클라이언트 라이브러리를 참조하세요.
Sensitive Data Protection에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
import base64
from typing import List
import google.cloud.dlp
def reidentify_table_with_fpe(
project: str,
table_header: List[str],
table_rows: List[List[str]],
reid_field_names: List[str],
key_name: str = None,
wrapped_key: bytes = None,
alphabet: str = None,
) -> None:
"""Uses the Data Loss Prevention API to re-identify sensitive data in a
table that was encrypted by Format Preserving Encryption (FPE).
Args:
project: The Google Cloud project id to use as a parent resource.
table_header: List of strings representing table field names.
table_rows: List of rows representing table data.
reid_field_names: A list of fields in table to re-identify.
key_name: The name of the Cloud KMS key used to encrypt ('wrap') the
AES-256 key. Example:
key_name = 'projects/YOUR_GCLOUD_PROJECT/locations/YOUR_LOCATION/
keyRings/YOUR_KEYRING_NAME/cryptoKeys/YOUR_KEY_NAME'
wrapped_key: The decrypted ('wrapped', in bytes) AES-256 key to use. This key
should be encrypted using the Cloud KMS key specified by key_name.
alphabet: The set of characters to replace sensitive ones with. For
more information, see https://cloud.google.com/dlp/docs/reference/
rest/v2/projects.deidentifyTemplates#ffxcommonnativealphabet
"""
# Instantiate a client.
dlp = google.cloud.dlp_v2.DlpServiceClient()
# Construct the `table`. For more details on the table schema, please see
# https://cloud.google.com/dlp/docs/reference/rest/v2/ContentItem#Table
headers = [{"name": val} for val in table_header]
rows = []
for row in table_rows:
rows.append({"values": [{"string_value": cell_val} for cell_val in row]})
table = {"headers": headers, "rows": rows}
# Convert table to `item`
item = {"table": table}
# Specify fields to be re-identified/decrypted.
reid_field_names = [{"name": _i} for _i in reid_field_names]
# Construct FPE configuration dictionary
crypto_replace_ffx_fpe_config = {
"crypto_key": {
"kms_wrapped": {"wrapped_key": wrapped_key, "crypto_key_name": key_name}
},
"common_alphabet": alphabet,
}
# Construct reidentify configuration dictionary
reidentify_config = {
"record_transformations": {
"field_transformations": [
{
"primitive_transformation": {
"crypto_replace_ffx_fpe_config": crypto_replace_ffx_fpe_config,
},
"fields": reid_field_names,
}
]
}
}
# Convert the project id into a full resource id.
parent = f"projects/{project}/locations/global"
# Call the API.
response = dlp.reidentify_content(
request={
"parent": parent,
"reidentify_config": reidentify_config,
"item": item,
}
)
# Print out results.
print(f"Table after re-identification: {response.item.table}")
다음 단계
다른 Google Cloud 제품의 코드 샘플을 검색하고 필터링하려면 Google Cloud 샘플 브라우저를 참조하세요.